What You Need to Know About Conficker and How to Avoid Being a Victim (Updated for April 1st)

April Fools' Day might be all fun and games for some, but if you manage to fall prey to the Conficker worm, it's no laughing matter. As reported earlier this month by our very own Mark Soper, the third version of Conficker (Conficker.c) is set to wreak havoc tomorrow, April 1st. Here's what you need to know.

What is Conficker?

Conficker is one of the nastiest computer worms in recent history to go on the warpath against Windows-based PCs. First surfacing in October 2008, Conficker targets Windows 2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2 Beta, and even Windows 7. To date, Conficker has infected over 9 million PCs, shut down French and British military assets, and prompted a $250,000 reward from Microsoft for information leading to the arrest and conviction of the worm's creators.

What Does it Do?

The first two versions of Conficker -- variants A and B -- exploit a vulnerability in the Server service on Windows-based PCs, spreading from an already-infected source computer. Once it is on a machine, the worm goes to work exploiting the same network hole to reach others, cracks administrator passwords, blocks access to security websites and automatic-update services, disables backup services, erases recently saved documents, and, among other things, leaves you open to attack from other infected machines.

What Happens Tomorrow?

One of the scariest things about Conficker, including Conficker.c, is that its full potential isn't known. Come tomorrow, those infected might be prompted to buy fake software products, or it could start monitoring your keystrokes to lift sensitive information like banking passwords. Files could end up deleted, or it might transform your computer into a zombie PC while staying under the radar. Whatever it ends up doing, it won't be good, and you need to take proper precautions right now.

How to Tell if You're Already Infected

Once infected, Conficker seals up the hole it used to infiltrate your system, preventing other malware from getting in. Because of this, it can be difficult for IT pros to tell which computers have been properly patched and which have only been "patched" by Conficker itself. But according to the nonprofit Honeynet Project, Conficker.c's buggy code has made it somewhat easy to detect using a newly released proof-of-concept scanner.

"What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you," Dan Kaminsky, director of penetration testing at IOActive who worked with The Honeynet Project, wrote on his blog. "We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

Other telltale signs that you might be infected with Conficker are that you haven't received any automatic updates from Windows in March, that you're unable to update your antivirus program, or that your security software has been running abnormally slowly of late. You can also try accessing major AV sites, as Conficker will attempt to block these.
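A quick, read-only check for the symptoms listed above, as an added example that is not part of the original article. It tests whether a handful of security-vendor hostnames and Microsoft Update resolve while an unrelated control host does, whether the Windows Update or BITS service has been set to Disabled, and whether any update has been installed in the last 30 days. The hostnames, the control host, the 30-day window and the use of the service start mode as the indicator are my own assumptions.

```powershell
# Added example, not from the article. Read-only checks for the symptoms the
# article lists. Vendor hostnames, the control host and the 30-day window are
# assumptions; a failed lookup or a disabled update service is a reason to
# investigate, not proof of infection (broken DNS or a proxy look the same).

$vendorHosts = @('www.symantec.com', 'www.mcafee.com', 'www.kaspersky.com',
                 'www.avast.com', 'free.avg.com', 'update.microsoft.com')
$controlHost = 'www.example.com'   # assumed unrelated host that should resolve

function Test-NameResolution {
    param([string]$HostName)
    # Returns $true when the name resolves, $false on any resolver error.
    try {
        [System.Net.Dns]::GetHostAddresses($HostName) | Out-Null
        return $true
    } catch {
        return $false
    }
}

function Get-ConfickerIndicators {
    $controlOk = Test-NameResolution $controlHost
    # Vendor names that fail while the control host succeeds point at
    # selective blocking rather than a generally broken network.
    $unresolved = @($vendorHosts | Where-Object { -not (Test-NameResolution $_) })

    # Updates installed recently (Get-HotFix reads Win32_QuickFixEngineering).
    $cutoff = (Get-Date).AddDays(-30)
    $recent = @(Get-HotFix -ErrorAction SilentlyContinue |
                Where-Object { $_.InstalledOn -and $_.InstalledOn -gt $cutoff })

    # Start mode of the Windows Update and BITS services. A service set to
    # Disabled is the indicator; Stopped alone is normal on newer Windows,
    # where these services start on demand.
    $disabled = @(Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv' OR Name='BITS'" |
                  Where-Object { $_.StartMode -eq 'Disabled' } |
                  ForEach-Object { $_.Name })

    $suspicious = ($controlOk -and $unresolved.Count -gt 0) -or
                  ($disabled.Count -gt 0) -or
                  ($recent.Count -eq 0)

    New-Object PSObject -Property @{
        ControlHostResolves    = $controlOk
        UnresolvedVendorHosts  = $unresolved
        RecentUpdateCount      = $recent.Count
        DisabledUpdateServices = $disabled
        Suspicious             = $suspicious
    }
}

Get-ConfickerIndicators | Format-List
```

Run it from an ordinary PowerShell prompt on the machine you are worried about. The point of the control host is to separate "my DNS is broken" from "only security vendors fail"; if the control lookup also fails, the result says nothing about infection. A Suspicious result is a cue to run one of the removal tools the article links from a known-clean PC, not a diagnosis on its own.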

The Department of Homeland Security (DHS) has released a computer worm detection tool, along with a bevy of other information, which can be found here.

How Can I Avoid Infection?

Drain your savings account, buy a Mac, and hang out at Starbucks all day long. Or to appease the Linux crowd, ditch Windows and dive into Ubuntu. But you don't need to learn a brand new OS or invest in an overpriced computer to avoid Conficker.

One way to avoid Conficker is to disable AutoRun. Details on how to properly do so can be found here. And as with all security-related threats, safe computing habits apply. Avoid websites you're not familiar with, ensure that Windows is fully patched, invest in a security program and download the latest updates, and never download from an unknown or shady source.
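Disabling AutoRun through the registry, as an added example that is not from the article or the how-to it links: it sets the documented NoDriveTypeAutoRun policy to cover every drive type and maps Autorun.inf to a registry section that does not exist, so autorun.inf files on removable media are ignored. Both registry locations are well-known Windows settings that the page itself does not mention; on Windows XP and Server 2003 the NoDriveTypeAutoRun value is only fully honored once Microsoft's AutoRun hotfix for those systems is installed, which is why the second setting is included as well.

```powershell
# Added example, not from the article or the how-to it links. Disables AutoRun
# for all drive types and neutralises autorun.inf handling, then reports the
# resulting state. Run from an elevated (Administrator) PowerShell prompt.
# Both registry locations are well-known Windows settings, not from the page.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$iniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutoRunStatus {
    # Reads the two settings without changing anything.
    $noDrive = $null
    if (Test-Path $policyKey) {
        $noDrive = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }
    $mapped = $null
    if (Test-Path $iniMapKey) {
        $mapped = (Get-ItemProperty -Path $iniMapKey -ErrorAction SilentlyContinue).'(default)'
    }
    New-Object PSObject -Property @{
        NoDriveTypeAutoRun = $noDrive
        AllDriveTypesOff   = ($noDrive -eq 0xFF)   # 0xFF = every drive-type bit set
        AutorunInfIgnored  = ($mapped -eq '@SYS:DoesNotExist')
    }
}

function Disable-AutoRun {
    # 1. NoDriveTypeAutoRun is a bit mask of drive types on which AutoRun is
    #    off; 0xFF disables it for all of them, machine-wide under HKLM.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -PropertyType DWord `
                     -Value 0xFF -Force | Out-Null

    # 2. IniFileMapping: point Autorun.inf at a registry section that does not
    #    exist, so Windows reads nothing from autorun.inf files on any media.
    if (-not (Test-Path $iniMapKey)) { New-Item -Path $iniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $iniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'

    Get-AutoRunStatus
}

Disable-AutoRun | Format-List
```

Explorer reads the AutoRun policy at logon, so log off and back on (or restart) before trusting the change; Get-AutoRunStatus alone is safe to run on any machine to see where it stands. Note that this removes only one of Conficker's infection routes: the Server service vulnerability still needs the Windows patch, and shared-folder spreading via weak administrator passwords still needs strong passwords.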

Holy S#*t, I'm Infected!

We'll assume here you're talking about your PC (if not, stop scratching it and consult a doctor). There are a number of Conficker removal tools available, such as those found here, here, and here. If going this route, it's a good idea to download the tool(s) from a clean PC rather than your infected one. Note that Conficker also blocks tools with 'Conficker' in the name, so be prepared to rename the file(s) if necessary.

Another option is to create a bootable CD/DVD or USB thumb drive and outfit it with security programs. By doing so, you'll bypass Windows entirely and have a clean slate from which to work. Just be sure to create the bootable media from a clean PC. Also check your security vendor's website for information on creating a bootable rescue disk.

Finally, to err on the extreme side of caution, you can start fresh with a reinstallation of Windows. Whether or not you resort to this, it's a good idea to back up any important data -- work documents, family photos, groovy music -- right away.

Comments


By any chance you always-on-the-internets-with-no-antivirus have like maybe 14 firewalls or are on dial-up!? Sorry if I strike a nerve, but seriously! Only those who are ignorant and have only used "free" antivirus programs and who look at tremendous amounts of pron claim that going cold turkey with AVs is the way to go.

There are a lot of free anti-virus apps. I use AVG Free Edition 8.5. I also realize that my AV is important and that going online without one would be a mistake and possibly disastrous. As for Gordon's internet license, I have written a report expanding the idea: http://nintenpc.tripod.com/public/internet_regulation_speech.pdf. Read it. Then tell my forensics judges, parents, and sister that I'm not a crackpot. Gordon rules and kids are stupid.

As a consultant, I make sure my clients don't have viruses and none of them do. It's not rocket science. For home users, the free anti-virus programs work great (provided they are updated frequently), so I recommend AVG or Avast. Second, MS updates must be turned on automatic. The days of updates causing major problems seem to be past, but on balance even if they do cause an occasional blip, let's face it, they do a lot more good than evil. Third, I train my clients to be aware of what they're doing. We all have a natural sense of danger when walking down a dark alley, but many don't have any sense of danger when wandering around on the internet. Many of us are suckers just waiting for some popup to tell us we must buy a "registry repair" program - or else... but I teach my clients to NEVER pay attention to any internet popup - ever. Any company who uses this kind of advertising is obviously unable to sell their program by any legitimate means, so avoid them like the plague. Many parents don't pay enough attention to what their kids are doing online. Yes, we've all been warned and warned and warned again, but many think so long as their kid isn't chatting with a predator, they are just fine. But these same parents who do their banking online, manage their investments online, and shop online - all of which involve transmitting extremely personal information - don't pay attention when little Johnny is downloading "warez" or mp3s off of torrent sites which are likely to assault their personal computer with malware, worms or viruses like Conficker. Many of these parents assume their kids are more "tech savvy" than they are, but even if their kid knew more about how an engine runs, would they let their 12 year old drive their new sports car in the bad part of town? How ridiculous! And yet, parents allow their children to "drive" all their personal information around the entire world of thieves and miscreants. I take a "belt and suspenders" approach to this.

First, parents have two choices: get the kids their own computer (NOT in their own room, no matter how much you trust them) or they need their own LIMITED account on the family computer. Parents need to approve each and every download the kids make on the family computer. If the child has his or her own computer it still needs to be protected from the child, particularly if the computer is networked to the parent's computer. Also parents need to monitor the computer or shelve it. I can't tell you how many computers I have had to "refresh" because of young ones' lack of experience with the internet. This can be expensive and time-consuming unless the parents really know what they're doing. Even if the child is technical enough to do this, they obviously weren't wise enough to protect themselves in the first place, so parents heed my advice: be careful with your children and computers, that is, unless you're not worried about losing your data or worse yet, having your identity stolen and bank account emptied. Trust me, that's no fun at all.

Supposedly Vista has the same vulnerability to this as XP, but there is some sort of difference in the systems that makes it much more difficult to activate on Vista machines, making XP much more of a target.

It's the UAC (User Account Control). I turned it on on a machine I don't care about and hunted for viruses; it does block them from executing. I tried to get AntiVirus 2009, and it asked me if I was sure I wanted to install it. The thing is that most people shut it off because it blocked EVERY program you could possibly imagine unless it had a Microsoft license, and still sometimes those ones.

Optional: To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.

Note: If you are sure that you are downloading this tool from the Security Response Web site, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the "Digital signature" section before proceeding with step 4.

Close all the running programs.

If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.

If you are running Windows Me or XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.

Run LiveUpdate to make sure that you are using the most current virus definitions.

When the tool has finished running, you will see a message indicating whether the threat has infected the computer. The tool displays results similar to the following:

Total number of the scanned files

Number of deleted files

Number of repaired files

Number of terminated viral processes

Number of fixed registry entries

What the tool does

The Removal Tool does the following:

Terminates the associated processes

Deletes the associated files

Deletes the registry values added by the threat

Removes the scheduled jobs created by the threat

Switches

The following switches are designed for use by network administrators:

/HELP, /H, /? Displays the help message.

/NOFIXREG Disables the registry repair (We do not recommend using this switch).

/SILENT, /S Enables the silent mode.

/LOG=[PATH NAME] Creates a log file where [PATH NAME] is the location in which to store the tool's output. By default, this switch creates the log file, FixDwndp.log, in the same folder from which the removal tool was executed.

/MAPPED Scans the mapped network drives. (We do not recommend using this switch. See the following Note.)

/START Forces the tool to immediately start scanning.

/EXCLUDE=[PATH] Excludes the specified [PATH] from scanning. (We do not recommend using this switch. See the following Note.)

/NOCANCEL Disables the cancel feature of the removal tool.

/NOFILESCAN Prevents the scanning of the file system.

/NOVULNCHECK Disables checking for unpatched files.

/FORCEJOBSREPAIR Removes the created scheduled jobs.

Important: Using the /MAPPED switch does not ensure the complete removal of the virus on the remote computer, because:

The scanning of mapped drives scans only the mapped folders. This may not include all the folders on the remote computer, which can lead to missed detections.

If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer uses this file.

Therefore, you should run the tool on every computer.

The /EXCLUDE switch will only work with one path, not multiple. An alternative is the /NOFILESCAN switch followed by a manual scan with AntiVirus. This will let the tool alter the registry. Then, scan the computer with AntiVirus with current virus definitions. With these steps, you should be able to clean the file system.

The following is an example command line that can be used to exclude a single drive:

I know this isn't viable for everyone, but for anyone who uses their PC to store vital information, or just doesn't want the hassle of having it knocked out by a virus, you might consider this. I have a high end computer that I use for gaming and making secure transactions. Then I have a second ultra cheap eMachines computer that I paid $299 for (including monitor) that I use only for surfing the web. I don't run many programs on it. I don't really worry about viruses on it, and if something were to happen to it, none of my personal files are on there so a quick restore is pretty simple.

I just read an informative article from Yahoo about this. http://tech.yahoo.com/blogs/null/13246. To those of you going cold turkey for a day or two, this quote from the Yahoo article is for you: "Turning your PC off tonight and back on on April 2 will not protect you from the worm (sorry to the dozens of people who wrote me asking if this would do the trick). Temporarily disconnecting your computer from the web won't help if the malware is already on your machine -- it will simply activate once you connect again. Changing the date on your PC will likely have no helpful effect, either. And yes, Macs are immune this time out. Follow the above instructions to detect and remove the worm."

As for the links to tools to remove it, I'm kind of a skeptic that they'll do the job, but it's better than nothing; I tried Symantec's tool and turned Windows Update "fully on" anyway. Good luck to everyone tonight.

You are VERY wrong to think this is just hype and that it's a goofy April Fools' joke. My recently built PC got hit by this thing, HARD, and even though I stopped it fast, it took me 3 weekends to recover or find new versions of my files. I'll be doing some console gaming for a week or so until I'm back on the web, this thing is nasty indeed! Hope the clowns behind it end up in a cell with angry Samoan (no offense) drag-queens (no offense again, you get the picture). :O

You just can't say I am very wrong; you do not know the answer either. Geesh, I never get viruses and I do not use anti-virus software or any type of protection software. It's all about safe web habits. I don't download stupid stuff and I don't look at p0rn. If you keep getting viruses then it's your fault, not the internet's.

If you don't use antivirus software, how do you know that you don't have a virus infection on your PC? I mean some viruses are very quiet and do all their work under the table. Like keyloggers and worms that use your PC to send spam to other PCs and all kinds of nasty stuff. Hell, just being online without an antivirus program is dangerous.

You'll be sorry if you don't install an antivirus program. I bet you if you install an antivirus program on your computer that you probably have at least one if not many security threats, from malware and spyware to viruses.

I am not stupid when it comes to the internet, that's why. And I also monitor my computer's resources, processes, and performance, and clean it every day. I can tell if something is up. I also don't download stupid stuff.

The reason why I switched to no anti-virus was because I kept getting viruses. It didn't matter which one I had. I had Norton, AVG, CA, Avast, etc. I would eventually get a virus, and I used the same internet habits as I do today. So I did an experiment to see if I could do this without protection, and it worked.

Well then you know better than I do. All I know is that my dad keeps uninstalling his antivirus software and then complains when his computer starts acting crazy. It's always a bad printer driver but I use the same driver with no problems.

Just going to popular websites without protection can get you infected.

I'm not stupid but I know it's better to be safe than sorry.

Sure I can drive my car without auto insurance, but if I get into an accident or a cop pulls me over I'm completely screwed.

My AV software has no effect on the speed of my system, and I routinely play Crysis with all the eye candy turned on and get the same frame rates as I do with my AV disabled. I just don't see any reason to risk driving without insurance or running my computer on an always-on broadband connection without AV software. I'm running Norton Internet Security 2009 and it rules.

Your car insurance story has nothing to do with a computer not having anti-virus software. First off, it's the law to have car insurance and not the law to have anti-virus software. It has been 4 years since I went anti-virus software free and I have not had a virus yet on my machine. And I use the computer every day with the internet on 24/7.

I do not use my AV software (AVG paid version); it's there, on, and never scans, and I have only had one virus ever, downloaded by my mom on her XP account. I download ISO images from GameCopyWorld for my games and mount them in Alcohol 120% all the time, I browse the internet regularly, and I never get viruses, especially as someone who uses torrent downloads for music and for viewing movies I don't feel are worthy of even a rental (or Rogers has no copies left >_>). I'm a safe browser: if someone ups a CD to a torrent site, I look at the comments before downloading to see what people are saying about it, and I've never been steered wrong. The internet is like a city, safer to be on some streets than others, and avoid the dark, unexplored alleys. Regardless, I'm back on Ubuntu for the next couple of days until this blows over. When push comes to shove, my sig makes all the more sense.

It's outright arrogant to think you won't ever get infected with just "safe web browsing". Although I believe it's best practice to stay away from suspect websites, unknown email attachments and public hotspots, you can't control what another person does on your network. Worms can work their way through the network onto your PC. I know because back home my brother always got himself into a virus and on some occasions it found its way onto my PC. I also know that just because you have virus protection doesn't make you immune. It does a good job of batting away most problems, but it's not perfect. That's where doing a bit of homework comes in.

You also do realize that because you don't visibly notice something that's "up" doesn't mean you're safe, right? You guys ever hear of a keylogger? Maybe a Trojan that's just looking for only a snippet of information like, say... your logon for your bank account? Legit websites are prone to infection too, buddy.

My computer is protected so it's no skin off my back, but if you're that arrogant it's only a matter of time before you're humbled.

I give up. We are not going to win. These anti antivirus people just have their minds made up. To them they are right and we are wrong. It's just not worth arguing about it with them. But I do have a problem with people like that convincing other people that going without AV software is the proper way to use the internet when it's not.

With this logic of no AV you probably agree that all guns should be banned so you have to rely on the cops to protect you from rapists and armed robbers and trust in these thugs and robbers not to kill you as they assault you and take your belongings. But at least you'll be able to call the cops afterward and they can investigate.

Going without AV is like going without a means to protect yourself. But I'm not going to argue with these anti-AV guys; I'm just going to try and convince others not to go that route.

I have this feeling that this Conficker worm is an April Fools' joke in itself. All this hype about it getting everybody worried and trying to get protected, then April 1st comes and nothing happens, or it just attacks everybody on April 2nd and we still all die. So who knows :)

I got hit by this thing once (my family enjoys using my desktop and being careful at what they do on the internet). And it's a real (c word here): it destroys your whole computer. I'm backing up all my movies, game saves, etc. and checking my PC! It's PC Armageddon, or could be.

I second this. And in response to Vista being vulnerable to executing it... turn UAC on as a secondary measure; more than likely it runs as admin though, so it could bypass UAC. Things like this are why UAC was made, even though I have it turned off. I'm in the technical field for work, so when I mass email everyone I know to prepare, they damn well listen.

I just downloaded and am now scanning my PC with the Symantec tool just to be on the safe side. I can access all major computer security sites, so that says I am safe. I also did a test with a .exe named "ConfickrRemover.exe" and nothing happened.